News

May 22, 1998

PRESS BRIEFING BY RICHARD CLARKE, NATIONAL COORDINATOR FOR SECURITY, INFRASTRUCTURE PROTECTION, AND COUNTER-TERRORISM; AND JEFFREY HUNKER, DIRECTOR OF THE CRITICAL INFRASTRUCTURE ASSURANCE OFFICE




                           THE WHITE HOUSE

                    Office of the Press Secretary
________________________________________________________________
For Immediate Release                               May 22, 1998     

                          PRESS BRIEFING BY
                           RICHARD CLARKE,
	      NATIONAL COORDINATOR FOR
     SECURITY, INFRASTRUCTURE PROTECTION, AND COUNTER-TERRORISM;
                         AND JEFFREY HUNKER,
      DIRECTOR OF THE CRITICAL INFRASTRUCTURE ASSURANCE OFFICE 

                          The Briefing Room


3:50 P.M. EDT


	     MR. RUBIN:  This is a briefing on the initiatives the 
President announced earlier today in Annapolis.  The briefers will be 
Richard Clarke, the National Coordinator for Security, Infrastructure 
Protection and Counter-terrorism; and Jeffrey Hunker, Director of the 
Critical Infrastructure Assurance Office.  Thanks.

	     MR. CLARKE:  Thank you.  I'll keep this brief.  You 
heard the President's speech in Annapolis, and you've seen the text.  
The announcements are based on two national security directives that 
he signed yesterday, and you have fact sheets on those.  Let me just 
run through quickly the three components that come out of those two 
directives.

	     One, created the system of program management for 
security issues and counter-terrorism issues.  Program management 
that focuses on lead agencies, lead agencies being clearly 
identified, what agency has the responsibility for the federal 
government to lead the interagency process on each issue relevant to 
security and counter-terrorism.  The lead agency should in turn then 
identify a program plan with goals and specific milestones.

	     The second element, and the subject of PDD 63, is 
critical infrastructure protection, or cyber-security.  For the first 
time, a President said that critical infrastructure protection, 
cyber-security, was a national security issue.  He called for the 
creation of a national protection plan over the course of the next 
three years to raise our defenses against cyber-attack.  And he 
called for a unique, and in his words, genuine private-public 
partnership, because the critical infrastructure which could be 
attacked, the electrical power grids, the telecommunications grids, 
are privately owned and operated.  And therefore the government 
cannot unilaterally create a defensive structure for critical 
infrastructure.

	     Moreover, the government doesn't have the solution.  The 
government, under the President's directive, will work cooperatively 
with the private sector to develop the National Protection Plan.  
We're not saying we have the answers; we're looking forward to a 
genuine partnership with the private sector to develop the answers.
	     
	     The third element of the two directives was an 
initiative on weapons of mass destruction consequence management, 
particularly biological weapons.  And there are four elements to 
that.
	     

	     First, the improvement of a national surveillance system 
based on the public health system around the country to detect and 
diagnose not only emerging infectious diseases but also a possible 
biological weapons use.
	     

	     Secondly, a response capability to give local 
authorities the equipment, the training necessary to deal with an 
emergency involving biological weapons or chemical weapons.
	     
	     Thirdly, a program for the first time to procure 
stockpile around the country for the civilian population -- 
vaccinations and specialized medicines to protect against biological 
weapons.
	     
	     And the fourth element, a research and development 
program focusing on genome mapping of pathogens so that we'll be able 
to use the new techniques in bioengineering and genetic engineering 
to develop better medicines and better vaccinations to protect 
against the new advances in biological warfare that can occur using 
genetic engineering.
	     
	     So those are the three elements of the program.  We have 
issued fact sheets on all of them, but we'll be glad to take any 
questions you might have.
	     
	     Q	  What kinds of vaccines and special medicines are 
going to be stockpiled?
	     
	     MR. CLARK:  The President has asked the Secretary of 
Health and Human Services to come back with an answer to those 
questions in the very near future.  In the discussions to date, HHS 
-- which really is the expert on this, and I would refer you to -- 
but HHS has focused on medicines designed to deal with anthrax and 
with smallpox.
	     
	     Q	  Anthrax and smallpox?
	     
	     MR. CLARK:  Primarily.
	     
	     Q	  Could you say what companies have agreed -- private 
companies have agreed to take part?
	     
	     MR. CLARK:  There have been no discussions today with 
private companies.  The government is right now sizing the 
requirement, developing a specific requirement level and a multi-year 
program plan.  And it would be inappropriate at this point to have 
discussions with any companies.
	     
	     Q	  Have you got any kind of cost figure for this?
	     
	     MR. CLARK:  That's part of what the President has asked 
HHS to develop, and the Office of Management and Budget is working 
with them to develop, in the very near future, a multi-year phased 
plan that would perhaps begin with funds this year but certainly 
would stretch out over the course of several years.
	     
	     Q	  Will the infrastructure -- the government-based 
infrastructure groups have information that is not available to the 
public, and how will they decide what people in the private sector 
are entitled to this information and which Americans aren't entitled 
to this information?
	     
	     MR. CLARK:  I think it's actually more the other way 
around.  The private sector is going to have information that the 
government doesn't have.  Let me explain why I say that.  The private 
sector is where the critical infrastructure is -- the telephone nets, 
the electric power grids.  They will know far better than the 
government when they're being attacked, when they're being probed, 
what their vulnerabilities are.  And so what we're really trying to 
do is establish a system whereby they are willing to share with the 
government what might be proprietary information, what might be 
information that's protected by privacy rights.  We understand those 
sensitivities, but we also know that unless there's a partnership 
between the government and the private sector, they may not be able 
to develop and design a defense system to protect themselves against 
critical infrastructure cyber-attack.

	     So there's going to have to be a sharing; we're going to 
have to work it out.  But the information will at least be flowing in 
two directions -- I think primarily from the private sector to the 
government. 
	     
	     Q	  Was there a secret drill a few months ago about how 
to respond to a chemical weapons attack?  Can you talk about that for 
a little bit?
	     
	     MR. CLARK:  There was an exercise -- a tabletop as we 
call it -- which means nothing happened in the real world; everyone 
involved was around the table -- there was a tabletop exercise last 
month to examine what might happen in a biological weapons incident.  

	     And the purpose of those kind of exercises -- we've had 
them now for the last four or five years; in fact last year's was on 
cyber-attack; this year's was on biological weapons -- they're 
designed primarily to identify roles and missions.  You say to a 
group from 12 or 13 agencies, if this happened who would do what? And 
you start getting very interesting answers and identify possible 
conflicts in roles and missions, or in some cases you identify that 
it's not clear that anybody thinks it's their responsibility.

	     That was the thrust of the exercise.  It was very 
useful.  As a result of it, the Attorney General has tasked some 
studies.  The Defense Department is doing some.  It's the kind of 
thing that we do routinely, but they're very productive. 

	     Q	  The President said today that intentional attacks 
against our critical systems already are underway.  He was talking 
about cyber-systems there I think.  Is he just talking about hackers 
who are mischievous, perhaps malicious, or is he talking about actual 
terrorists who are already doing that kind of thing?

	     MR. CLARKE:  When there is an attempt to crack into a 
computer system, it's very difficult to know where it's originating.  
The point of origin that shows up on the incoming message may not in 
fact be the actual point of origin.  It's possible to spoof the 
computer so that it thinks it's coming from one place, in fact it's 
coming from somewhere else.  There is also a technique where you can 
bounce through several computers.  It can originate in one, bounce to 
another, bounce to another, bounce to another, and then do the 
attack.

	     So we know that every day in the United States there are 
hundreds of attempts to do nonauthorized intrusions.  Are they for 
purposes of vandalism?  Are they for purposes of industrial 
espionage?  Or are they for purposes of doing reconnaissance of 
systems for a possible future attack?  It's very difficult to know.  
And one of the things that the President's initiative hopes to create 
is a system whereby we can find out what is the baseline on a 
day-to-day basis, who is doing the attacking, and for what purpose.

	     MR. HUNKER:  One of the key conclusions of the 
President's commission that laid the intellectual framework for the 
President's announcement today was that while we certainly have a 
history of some real attacks, some very serious, to our cyber- 
infrastructure, the real threat lay in the future.  And we can't say 
whether that's tomorrow or years hence.  But we've been very 
successful as a country and as an economy in wiring together our 
critical infrastructures.  This is a development that's taken place 
really over the last 10 or 15 years -- the Internet, most obviously, 
but electric power, transportation systems, our banking and financial 
systems.


	     And as we get increased connectivity, each of these 
systems becomes increasingly vulnerable not only to attacks directly 
against it, but also to the secondary effects of attacks that might 
affect a system elsewhere -- very similar to what we saw with the 
kind of cascading collapse of electric power in the West last year.  
We could see that also on the electronic basis as well.  So we 
certainly have threats and a history of threats that's out there, but 
the real challenge and the real concern is for the future. 

	     Q	  Do you have any evidence that the Chinese 
government might have been behind the recent hacker attack, 
penetration of the Pentagon? 

	     MR. CLARKE:  I think any particular hacker attack is 
best discussed either with the Pentagon or the Justice Department.  
One thing that we should make clear is that the White House 
involvement in critical infrastructure is at the policy level; It is 
not at the operational level.  And it's not just inappropriate for us 
to answer questions about specific attacks, we really often don't 
know.

	     Q	  Is there going to be legislation proposed in 
connection with these directives, or does the President have all the 
authority he needs just on an executive basis?

	     MR. CLARKE:  As I said, the President has asked the 
Office of Management and Budget to work with the Department of Health 
and Human Services to look at a multi-year program on the biological 
weapons protection front, and that will undoubtedly result in some 
appropriations.  In terms of new authorities, the Attorney General 
has asked her staff to look at the biological weapons issue to see if 
there are new authorities -- legislative authorities needed.  And 
part of the work that Jeffrey's office will be doing with the Justice 
Department on the cyber side is trying to see whether or not new 
legislative authority is needed to do cyber-protection.

	     Q	  Is there any way to protect against the satellite 
failure that we had a couple of days ago?

	     MR. CLARKE:  Well, we don't really know yet what 
happened.  At least I don't know what happened.  And until we do, 
it's going to be a little difficult to say how you could protect 
against that.  I think we're best waiting to see what happened.  
That's a clear case of the private sector being critical to our 
national infrastructure.  A satellite owned and operated entirely by 
a private company, and nonetheless having an enormous effect 
nationwide as a single point of failure.  It's a very good example of 
how there are single points of failure that we don't even know about 
because of the growth of our infrastructure, the rapid growth of our 
infrastructure, and the fact that, frankly, we haven't been thinking 
as a nation about the critical infrastructure, the vulnerability of 
it, the fragility of it, the interdependence that has been generated 
over the course of the last five or 10 years. 

	     Q	  When I was asking you about private industry 
cooperation, I was talking about in terms of infrastructure 
protection.  I thought that Dell and some other companies, Bell 
South, IBM, you had had discussions with them.  Is that not true?

	     MR. CLARKE:  In the course of the President's commission 
work last year, the President's commission had discussions with 
hundreds of private companies, in the telecommunications area, the 
electric power area, the computer area.  Yes, absolutely.  And what 
we're hoping to do now is to continue that dialogue to find out from 
them what they think their vulnerabilities are, to help them assess 
what their vulnerabilities are, and to find if there isn't a way for 
us together, government and private sector, to coordinate our efforts 


in research and development, to coordinate our efforts in information 
sharing, so that we can raise higher the barriers of defense for 
critical infrastructure and cyber-security nationwide. 

	     Q	  But you don't consider that as part of this effort.  
It's not going on now.

	     MR. CLARKE:  It was underway throughout the work of the 
President's commission.  Now that the President has issued this 
national security directive calling for a public-private partnership, 
it will be underway again.
	     
	     MR. HUNKER:  Let me add to that.  Critical 
infrastructure is unique in that we have interest from the Defense 
Department and the defense community, the intelligence and the law 
enforcement community, but this is also an economic agenda as well.  
The safe, efficient, secure functioning of electronic and information 
technologies is a prime foundation, is a critical foundation, for the 
economic growth that we've had.  There are statistics that suggest 
over the last five years that 25 or more percent of the economic 
growth we've seen has come out of information technologies.

	     So, when we talk in terms of critical infrastructure 
protection and cyber-protection, we're talking first and foremost 
about good business practices for the companies and the industries 
that are providing jobs through information technologies.  We're also 
similarly talking about the fact that it is, in most cases, those 
very same private infrastructures that are providing the basis for 
much of our national defense.  I've seen the statistic -- I don't 
know where it came from -- that suggests that 95 percent of all the 
Defense Department telecommunications requirements are coming off of 
private networks.  This gives you a sense in terms of the real unity 
between our national security interests, traditionally defined, and 
our economic security interests, and the real melding of the two.
	     
	     Q	  There seems to be something of an interface between 
what you're talking about and what Treasury has been talking about 
regarding the way that the markets operate today and the tremendous 
amount of money that's moving back and forth.  I was wondering if 
these kinds of problems entered into your considerations -- you 
mentioned the connection between economics and national security -- 
and how you viewed that situation, how to protect against attacks on 
the U.S. financial system?
	     
	     MR. CLARKE:  Well, Jeffrey is probably better situated 
to answer that question, but I'll joint point out, as it says in the 
fact sheet, in the President's directive, what he calls for is a 
public-private partnership sector by sector throughout the economy.  
And he identifies specific sectors.  One of them is banking and 
finance.  And he designates the Treasury Department to be the federal 
lead in organizing the U.S. government effort to talk to the banking 
and financing sector and work out mutually a way of improving their 
cyber-defenses.
	     
	     Thank you.

             END                          4:05 P.M. EDT